Attaining Nirvana with Oracle Database Security

A recent study from Forrester states that a comprehensive database security strategy should focus on proactively protecting data from internal and external attacks, minimizing data exposure to privileged IT users, and securing all databases, including production and non-production. Because most enterprises focus on perimeter-based network security, database security has received little attention.

Stunning statistics that force us to re-think database security

To address several of the above threats, Oracle provides a number of options to secure the database environment. It is extremely important for DBAs and security architects to understand these capabilities and implement them appropriately. But remember, not all of these options come without writing a few more checks to Oracle.

Where do I start?

Recently, I attended a DB security session by Tom Kyte that helped me draft a better enterprise DB security strategy. An important first step is to answer a few questions: where does all our sensitive data reside, would we even know if our data were breached, are we aware of all regulatory mandates, what best practices are we following, and where do we see security holes? I couldn't agree more with Tom on these questions. Even though they seem pretty obvious, working collaboratively with the appropriate teams to get comprehensive answers will certainly put a better perspective on an upbeat DB security strategy. It is very interesting how Oracle puts the pieces together to give a categorical overview of Oracle DB security.

Mitigate Database bypass

Securing the data with proper authentication and encryption is significant in mitigating database bypass. Since there are several ways to bypass the database and still reach the sensitive data by other means, the Transparent Data Encryption (TDE) feature of Oracle's Advanced Security Option provides significant value: it applies encryption transparently within the database without impacting existing applications. TDE provides the benefit of encryption without the overhead associated with traditional database encryption solutions, which typically require expensive and lengthy changes to applications, including database triggers and views. Moreover, TDE works perfectly with RMAN and other database backup tools; in RMAN's case, it decrypts, compresses, and re-encrypts the tablespaces. TDE has no restrictions even when used with Data Guard, Streams or GoldenGate. The performance impact is well below 5% and thus should not be a concern.
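As an added example (not code from the article or from Oracle's documentation), the following SQL shows what "transparent" encryption looks like at the tablespace level on Oracle 11gR2: the application keeps querying the same table while the data is encrypted on disk, and the result is verified from the dictionary views. The wallet password, the datafile path, the tablespace name APP_SECURE and the objects HR.CUSTOMERS and HR.CUSTOMERS_PK are assumptions, as is a wallet location already configured in sqlnet.ora.

```sql
-- Added example, not from the article or from Oracle's documentation.
-- Assumes Oracle 11gR2, ENCRYPTION_WALLET_LOCATION set in sqlnet.ora and a
-- master key already created. Object names and the password are hypothetical.

-- 1. Open the wallet so the master key is available to the instance.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";

-- 2. Create an encrypted tablespace; every block written to it is encrypted on disk.
CREATE TABLESPACE app_secure
  DATAFILE '/u01/oradata/ORCL/app_secure01.dbf' SIZE 200M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Move the sensitive table in. No application change: HR.CUSTOMERS keeps its name,
--    columns and grants. MOVE invalidates the table's indexes, so rebuild them.
ALTER TABLE hr.customers MOVE TABLESPACE app_secure;
ALTER INDEX hr.customers_pk REBUILD TABLESPACE app_secure;

-- Alternative when only one column is sensitive and the table must stay where it is.
-- The default salt prevents indexing this column; use NO SALT if an index is needed.
ALTER TABLE hr.customers MODIFY (card_number ENCRYPT USING 'AES256');

-- 4. Verify which tablespaces are encrypted and with which algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- ... and which columns.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- 5. Check wallet status; while it is CLOSED, encrypted data cannot be read.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
```

The last query matters operationally: after an instance restart the wallet is CLOSED unless an auto-login wallet is used, and every access to encrypted data fails until it is reopened. The wallet directory also has to be backed up separately from the datafiles, since an RMAN backup of encrypted tablespaces is useless without the master key.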

Prevent Applications bypass

As organizations have multiple DBA roles, such as Security DBA, Application DBA and Production Support DBA, segregation of DBA duties becomes significantly important. Oracle Database Vault (ODV) comes in handy to protect application data from the DBA and other powerful users, as well as to implement robust controls on access to the database and application. With ODV, realms restrict access to sensitive data, and rules and factors enforce controls over who can access the data, when and how.
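The realm described above, as an added example (not the article's or Oracle's own code) for Oracle 11gR2 Database Vault: a realm around a hypothetical HR.CUSTOMERS table that only the hypothetical application account HR_APP may access. It assumes Database Vault is installed and enabled and that the session holds the DV_OWNER role.

```sql
-- Added example, not from the article or from Oracle's documentation.
-- Assumes Oracle 11gR2 with Database Vault enabled and a session with DV_OWNER.
-- Schema HR, table CUSTOMERS and user HR_APP are hypothetical.

BEGIN
  -- 1. Create the realm and audit failed access attempts.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Customer Data Realm',
    description   => 'Keeps DBAs and other powerful users out of HR customer data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put the protected object in the realm ('%' for object_name would cover
  --    every object owned by HR).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Customer Data Realm',
    object_owner => 'HR',
    object_name  => 'CUSTOMERS',
    object_type  => 'TABLE');

  -- 3. Authorize only the application account. No rule set, so the
  --    authorization always applies; a rule set could restrict it to
  --    business hours or to a specific client host (factors).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Customer Data Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verify the realm definition, its protected objects and its authorizations.
SELECT name, enabled, audit_options
  FROM dba_dv_realm
 WHERE name = 'HR Customer Data Realm';

SELECT *
  FROM dba_dv_realm_object
 WHERE realm_name = 'HR Customer Data Realm';

SELECT *
  FROM dba_dv_realm_auth
 WHERE realm_name = 'HR Customer Data Realm';
```

Once the realm is enabled, a user relying on the DBA role or SELECT ANY TABLE gets ORA-01031 (insufficient privileges) on HR.CUSTOMERS even though the system privilege is still granted, and with G_REALM_AUDIT_FAIL each such attempt is written to the Database Vault audit trail. Realm authorization does not replace ordinary object grants: HR_APP still needs its own SELECT/INSERT/UPDATE privileges on the table.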

Consolidate auditing and compliance reporting

As it is becoming inevitable for organizations to understand who accesses their data, it is imperative to have a report pool that provides the needed access data. Moreover, when it comes to DB security, many of us rush to conference rooms for post-mortem analysis of breaches rather than taking proactive approaches. In such scenarios Oracle Audit Vault comes in handy, and it works with non-Oracle databases too. Oracle Audit Vault includes dozens of out-of-the-box reports; reports related to Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS) can be accessed directly from the Oracle Audit Vault dashboard.

Even though Oracle EM helps in monitoring and even blocking certain threats, Oracle Database Firewall is a nice fit to further secure the Oracle DB environment. Oracle Database Firewall acts as a first line of defense for databases, providing real-time monitoring of database activity on the network. It is installed on the network either as a bridge or on a SPAN port and monitors every SQL request. It even integrates with F5 BIG-IP Application Security Manager using a plug-in connector. It protects against application bypass, SQL injection and similar threats. Simply put, Oracle Database Firewall is easy to deploy and the benefits are great. One best practice, "prevent all DDL in production by default", can be enforced with the database firewall.

Production databases Protection

Finally, a product that can help without puncturing corporate balance sheets. Since OEM scans databases against 400+ best practices and industry standards, it can play a significant role in a secure database life-cycle strategy and can be a core part of your enterprise database security. It becomes an even more vital tool for automated patching and secure provisioning.

Non-Production database Protection

While we scramble to protect production databases, we pay far less attention to protecting non-production databases. At times, organizations try to address non-production DB protection with custom hand-crafted solutions or by re-purposing existing data manipulation tools within the enterprise. Oracle Data Masking is yet another option to consider: sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with outsourced or off-shore partners for other non-production purposes. Oracle Data Masking also supports masking of sensitive data in heterogeneous databases such as IBM DB2 and Microsoft SQL Server through Oracle Database Gateways.

Even though this article may sound like marketing propaganda for Oracle's database security tools, I personally wanted to understand the tools and capabilities that Oracle provides to secure our enterprise database environment. Before making any viable security enhancement decisions, I wanted to ensure that we have the full picture. Especially in an Oracle shop such as ours, it is obvious that we look for strong, native security integration at a lower TCO, which mostly comes from a single vendor such as Oracle rather than from cobbling together point solutions.

This article was written from what I learned from DB security sessions presented by Tom Kyte, research articles from Forrester, Oracle MOS, etc. Thanks Tom for all the valuable information.

Reference documents library

Even though Oracle provides several advanced security tools at a price, it is highly recommended that you complete at least the basic checklist below.

About Sunthar Tharmalingam

Bio: Sunthar is an Oracle Certified Professional with over 14 years of experience in multifaceted architectural design and implementation of mission-critical global Oracle Applications. He provides technical leadership to enterprise project teams and manages the comprehensive implementation life-cycle. Sunthar has exhaustive hands-on competencies in vital Oracle technologies such as Oracle E-Business Suite, Databases, OBI Applications, Oracle Identity Management and the WebCenter suites.

This blog has been categorized according to the Oracle products that integrate with Oracle E-Business Suite. Should you wish to participate as an author for a related module or category, please register as a member and mail me to let me know which category you would like to write under.

One Response to Attaining Nirvana with Oracle Database Security

The statistics are incredible but yet I still find end users ignore the dangers until it’s too late. As a partner I have particularly been trying to highlight (to my customers) the threat around internal data theft and how easy it is for a DBA to access sensitive information (production or non production) undetected.